Expert: US in cyberwar arms race with China, Russia

First Lt Michael Newman examines a server rack that is isolated from the Internet at the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colo., in July 2010.

By Robert Windrem, Senior Investigative Producer, NBC News

The United States is locked in a tight race with China and Russia to build destructive cyberweapons capable of seriously damaging other nations’ critical infrastructure, according to a leading expert on hostilities waged via the Internet.

Scott Borg, CEO of the U.S. Cyber Consequences Unit, a nonprofit institute that advises the U.S. government and businesses on cybersecurity, said all three nations have built arsenals of sophisticated computer viruses, worms, Trojan horses and other tools that place them atop the rest of the world in the ability to inflict serious damage on one another, or lesser powers.

Ranked just below the Big Three, he said, are four U.S. allies: Great Britain, Germany, Israel and perhaps Taiwan.

But in testament to the uncertain risk/reward ratio in cyberwarfare, Iran has used attacks on its nuclear program to bolster its offensive capabilities and is now developing its own "cyberarmy," Borg said.

Borg offered his assessment of the current state of cyberwar capabilities Tuesday in the wake of a report by the American computer security company Mandiant linking hacking attacks and cyber espionage against the U.S. to a sophisticated Chinese group known as “Peoples Liberation Army Unit 61398.

According to a new White House report released today, cyber spying and other forms of economic espionage are a growing national security threat – especially from China, where hackers are able to quietly and discreetly acquire source code from U.S. companies. NBC's Andrea Mitchell reports.

In today’s brave new interconnected world, hackers who can defeat security defenses are capable of disrupting an array of critical services, including delivery of water, electricity and heat, or bringing transportation to a grinding halt. U.S. senators last year received a closed-door briefing at which experts demonstrated how a power company employee could take down the New York City electrical grid by clicking on a single email attachment, the New York Times reported.

U.S. officials rarely discuss offensive capability when discussing cyberwar, though several privately told NBC News recently that the U.S. could "shut down" the electrical grid of a smaller nation -- Iran, for example – if it chose to do so.

Borg echoed that assessment, saying the U.S. cyberwarriors, who work within the National Security Agency, are “very good across the board. … There is a formidable capability.”

“Stuxnet and Flame (malware used to disrupt and gather intelligence on Iran's nuclear program) are demonstrations of that,” he said. “… (The U.S.) could shut down most critical infrastructure in potential adversaries relatively quickly.”

China, Russia have different prioritiesBorg said China and Russia have similar capacity to cause mayhem, but have different priorities and skill sets.

usccu.us

Scott Borg says the U.S. possesses a 'formidable capability' to wage cyberwar.

“Russia is best at military espionage and operations,” he said. “That's what they have focused on for a long time. China is looking for crucial business information and technology. China's main focus is stealing technology. These things quite separate. You use different tools on critical infrastructure than you use for military espionage and different tools again on stealing technology."

Borg said that each has its strong suit. "The Russians are technically advanced. The Chinese just have more people dedicated to the effort, by a wide margin,” he said. “They are not as innovative or creative as the U.S. and Russia. China has the greatest quantity, if not quality."

Borg said the group featured in Mandiant’s report, the People’s Liberation Army Unit 61398, may be one of the most important groups working in China, but not necessarily the most important.

"There are at least two dozen groups carrying out aggressive operations against the U.S.,” he said. “They get in each other’s way and trip over one another, but they are all operating with the tacit approval of the Chinese government.

"They're not cooperating with each other because they don’t share capabilities," he added. "One group has good programming, but is bad at access or targeting."

The Chinese hacking efforts are so broad, Borg said, that the highest-ranking Chinese officials “almost certainly do not know what all the groups are doing,” or the consequences. As a result, he added, they have been embarrassed by reports like the one in Tuesday’s New York Times, which first reported on the Mandiant assessment.

China is the most likely of the superpowers to leave a calling card, making their work the easiest to track. "China is very arrogant in its authorship of cyberweapons,” Borg said. “It does little to conceal its identity."

That’s in sharp contrast to the Russians, who he noted are not above writing code in Chinese to throw off investigators.

While the U.S. could respond to ongoing cyberattacks from China and Russia by shutting down the power grid of "any of its adversaries” and causing severe physical damage, Borg said it is encumbered by several factors.

One is its vulnerability to cyberwarfare as the world’s most networked nation, he said.

And from a geopolitical standpoint, Borg said, the U.S. would not want to badly damage the economy of either China or Russia. In fact, he said, the U.S. would almost certainly have to incorporate protections for critical systems like the power grid in any cyberattack.

Also, detecting the source of hostilities is not always easy, Borg said, as cybertracks are not as easy to follow as missile tracks. That means “mutually assured destruction,” the main strategic tenet of the Cold War, is problematic at best when talking about cyberwar, he said.

"It might be difficult to determine proportionate response,” he said. “It might not be simple to attack the attacker.”

For example, policymakers may think an attack has been carried out by the Chinese, when it was actually the work of the Russians or a rising power in the cyber world, like Iran. That is why intelligence -- getting insight into these operations -- is more important in a crisis than cyberforensics, which can take longer and not be as certain.

"There is no MAD in the Cold War sense," he said, "You can’t be 'assured' of attribution. The attack can be anonymous. It can be spoofed," or disguised as coming from another source.

Iran developing 'serious capability'The U.S. first began to develop its own offensive capabilities 20 years ago when several strategic thinkers, particularly at the Naval Post-Graduate School, began to see the possibilities. It was not so much a strategic priority, but more "people familiar with electronics and hackers exercising their imagination." (Borg says one of those thinkers, Winn Schwartau, used fiction to discuss the threat and the possibilities, in a 1991 book, "Terminal Compromise.")

While the U.S. has the means to respond and to defend itself, Borg notes that some countries have no recourse. He cited the Russian invasion of the Republic of Georgia in August 2008, when the Georgian government and media infrastructure was quickly compromised.

What was particularly interesting, Borg said, was that the Russian military and intelligence services weren’t directly involved.

"The first wave was carried by organized crime," he noted. "The second wave was carried out by a (hacker) group organized though social media.” He said Russian hackers could download the attack software from a variety of popular sites, including dating and gun-collecting websites.

In both cases, Borg concluded, the organizers apparently were tipped off early about the timing of Russian military operations, he said.

The attack on Georgia also illustrated another aspect of cyberwarfare, Borg said, noting that Georgia, Estonia and Lithuania afterward formed a cyberalliance, leaving them in a better position to deal with future assaults.

That also appears to be the case with Iran, which recently announced that it decided to establish cyber army and claimed to have 4,000 to 5,000 military personnel involved in defensive and offensive operations. That isn’t all bluster, Borg said, noting that when the U.S. leveled new sanctions on Iranian banks last year, U.S. banks suddenly came under attack.

"Iran is developing a serious capability," said Borg. “It's exaggerating the present capabilities, but it’s working toward the future."

That’s especially troubling because the risk of smaller nations waging cyberwar against one other may be higher than with the online superpowers, he said.

He cited reports indicating that Iran may have been behind what he called one of the more serious cyberattacks to date -- an assault last August on the Saudi Aramco computer network that disabled more than 30,000 computers used to control the flow of Saudi oil. The Saudi Interior Ministry blamed "foreign countries" for the attack.

Borg said he believes the attack was an "Iranian fundamentalist attack ... at some point loosely the under auspices of Iran, and blessed by Iran. The fundamentalist group made a claim of responsibility. ... “Based on technical analysis, the claim has credibility."

For that reason, Borg says he is less worried about the possibility of China or Russia launching a catastrophic attack against the U.S. than he is about the emerging cyberpowers.

“What I’m really concerned about isn’t Russia or China, but attacks from Iran or terrorist groups working with state actors,” he said.